Spear phishing: the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.

"Spear phishing represents a serious threat for every industry."

How does this serious threat affect your organization? We’ve built a detailed analysis of how one adversary takes a very personal approach to the classic supply chain attack. It analyzes the attack end to end using the Cyber Kill Chain® analysis framework, including a review of how a targeted email was delivered and weaponized.

Note: All names are fictional, and any resemblance to real people or companies is unintentional.

An adversary has successfully carried out a cyber-attack, the proverbial stuff has hit the fan, and it’s all hands on deck to figure out what happened. Unfortunately, it’s not until this type of incident response happens that most organizations perform any type of analysis. The silver lining is that these situations can provide invaluable understanding of the threats facing an environment; however, they’re costly, both in time and effort and in impact to the business.

Unbeknownst to most organizations, just as much (and likely much more) insight can be gained from identifying and analyzing the attacks that fail. Analyzing what happened and what could have happened means defenders can gain a better understanding of how an adversary operates, and then use that knowledge to defend against that adversary and others like them.

So why aren’t more organizations doing this type of valuable analysis?

One of the most compelling questions asked today by security operations is, “Can we enable our analysts to make security decisions that will have a positive impact on the overall security posture of our organization?” The short answer is, “Yes. But it’s not easy.”

“You will never reach your destination if you stop and throw stones at every dog that barks.” – Sir Winston Churchill

This summer our team has been traveling the globe with our message of cyber enlightenment. Through real-world accounts of how we’ve helped some of the world’s most prominent companies mature their cybersecurity posture, our analysts have inspired hope and doled out practical steps both practitioners and leadership can take to shore up their networks.

“You can’t buy the Cyber Kill Chain®, but you can buy into it.”

In this post I review key findings from the NTT Group’s 2016 Global Threat Intelligence Report, including an incident response case study in which a team effectively leveraged the Cyber Kill Chain analysis framework to better understand each phase of the attack and gain a comprehensive picture of the adversary’s tactics, techniques and procedures. The mid-size financial client, code named Peaceful Panda Financial Corporation (PPFC), did not know they were breached until day 65 of the attack.

Below I walk through the seven successful steps the adversary took before posting sensitive PPFC data to a PasteBin site.

This year’s Global Threat Intelligence Report (GTIR) provides organizations with the data needed to disrupt attacks. Solutionary, an NTT Group company, partnered with Lockheed Martin on their 5th annual GTIR. 2016 is the first year the report included partners, with the goal of an expanded view of the threat landscape and more analysis of attacks, threats and trends from last year. The 2016 GTIR includes information from 24 security operations centers, seven R&D centers, 3.5 trillion logs, 6.2 billion attacks, and 8,000 security clients across 6 continents.

The report uses last year’s attack information and the Lockheed Martin Cyber Kill Chain to highlight practical application of the Cyber Kill Chain and explain a comprehensive strategy to enable effective security across the entire organization.

As previously discussed (TIP Defined blog post), a properly employed Threat Intelligence Platform can enable an organization to take a more effective approach to computer network defense. In this post we will delve a bit deeper into how a Threat Intelligence Platform (TIP) can act as a tool for incident response and investigations, becoming a central hub for SOC operations performed with an Intelligence Driven Defense® mindset.

Arguably one of the most important aspects of cybersecurity is Threat Intelligence. Yet despite that, the role of this discipline in a solid security posture is often underestimated.

The consulting company Forrester defines threat intelligence as the details of the motivations, intent and capabilities of internal and external threat actors. Forrester extends its definition of Threat Intelligence to include specifics on the tactics, techniques and procedures that hackers and Advanced Persistent Threats employ within their attacks. (Threat Intelligence Buyer’s Guide, SANS CTI Summit, 10 February 2014.)